ietf-mxcomp

RE: How is SPF different from RMX?

2004-08-10 16:13:29

On Tue, 3 Aug 2004, Hallam-Baker, Phillip wrote:


Wrong and misleading as well. I have given you a large number 
of specific faults: (I'll summarize)

    1) Abuser can forge addresses at domain

This is a risk, not a specific threat. it appears that you are referring
to the fact that forwarded mail can only authenticate to the last sender,
not the original sender.

This is an understood issue for which other controls are relevant.

It is a way to circumvent SPF. It is not a "risk", it is a vulnerability.  

    2) Abuser can use stolen credential

This claim makes no sense whatsoever in the context of Sender-ID since
there is no private key corresponding to the DNS record, there is no
knowledge that can be stolen.

The vulnerabilities to DNS and BGP spoofing are understood and are
out of scope.

This has nothing to do with DNS. "Stolen Credential" means username and 
password.  Virus infected machines have the credentials of the machines' 
owner. The virus can use these.

I didn't list DNS spoofing or BGP spoofing. BGP spoofing is beyond the
capabilities of most spammers.  It's happened, but it's rare. DNS spoofing,
however, is within their capabilities, but I didn't list that.

    3) DNS cache problems (more records per domain, same cache size)

Irrelevant.

Impact on other protocols is relevant.

    4) DNS load (more records per domain)

Irrelevant. 

Impact on other protocols is relevant.


    5) Ongoing Maintenance issues

Vague.

You obviously haven't read the emails. Maintenance issues were clearly
explained.

    6) Migration issues

Vague and irrelevant. 

You obviously haven't read the emails. Migration issues were clearly
explained.


    7) IP Renumbering issues

Utterly irrelevant.

Impact on business activities is relevant.

    8) Lost non-spam emails

Not an issue, all Sender-ID does is to provide a means of whitelisting
good email, it is not a mechanism for rejecting bad emails, that 

Impact on business activities is relevant.  Lost email is an issue for
those who will lose emails and business as a result.

But I agree that SPF is just a whitelist scheme, and we already have a 
perfectly good whitelist method in DNS already.  We've had DNS blacklists 
for many years, and it is trivial to make a DNS whitelist.

    9) Lack of universal compliance.*

Uninterested.

I see that. That doesn't mean that it isn't an issue. "Lack of interest" 
seems to be a common problem with anti-spam proposals. I think that's why 
they fail so often.
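As an added illustration (not part of the thread or of any SPF implementation), a toy SPF-style evaluator showing the forwarding issue argued over above: a forwarded message passes at the forwarder but fails at the final receiver, indistinguishable from a forgery, which is where the "lost non-spam email" concern comes from. Domain names, records and IP addresses are constructed.

```python
# Added example: minimal SPF-style check at each hop of a delivery path.
# Everything here (domains, records, addresses) is constructed; no DNS is queried.
import ipaddress

# Constructed "DNS": per-domain list of CIDR ranges allowed to send mail
# for that domain (the whitelist the thread refers to).
SPF_RECORDS = {
    "example.com": ["192.0.2.0/24"],           # example.com's own MTAs
    "forwarder.example": ["198.51.100.0/24"],  # an unrelated forwarding host
}

def spf_check(mail_from_domain: str, connecting_ip: str) -> str:
    """Return 'pass', 'fail' or 'none' for the connecting IP against the
    record published by mail_from_domain (SPF result names used loosely)."""
    ranges = SPF_RECORDS.get(mail_from_domain)
    if ranges is None:
        return "none"  # domain publishes nothing: no assertion possible
    ip = ipaddress.ip_address(connecting_ip)
    for cidr in ranges:
        if ip in ipaddress.ip_network(cidr):
            return "pass"
    return "fail"

def deliver(path: list, mail_from_domain: str) -> list:
    """Evaluate the check at every receiving hop. path is a list of
    (sending_ip, receiver_name); each receiver only ever sees the IP of
    the hop that connected to it, never the original sender's."""
    return [(receiver, spf_check(mail_from_domain, ip)) for ip, receiver in path]

# Direct delivery: example.com's MTA connects to the final receiver.
DIRECT = [("192.0.2.10", "final-mx")]
# Forwarded delivery: forwarder.example relays the same message onward,
# keeping the original envelope sender example.com.
FORWARDED = [("192.0.2.10", "forwarder.example"), ("198.51.100.7", "final-mx")]
# Forgery: an arbitrary host claims to be example.com.
FORGED = [("203.0.113.5", "final-mx")]

if __name__ == "__main__":
    for name, path in (("direct", DIRECT), ("forwarded", FORWARDED), ("forged", FORGED)):
        print(name, deliver(path, "example.com"))
```

At final-mx the legitimate forwarded message and the forgery both evaluate to "fail", so a receiver that rejects on "fail" loses the forwarded mail; a domain with no record yields "none", which is the non-compliance case.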

